
RE: tracking-ISSUE-266: automatic expiration of a tracking preference exception via API parameter [TPE Last Call]

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 16 Oct 2014 12:44:18 +0100
To: "'David Singer'" <singer@apple.com>, "'Tracking Protection Working Group'" <public-tracking@w3.org>
Message-ID: <011701cfe936$85d3f4c0$917bde40$@baycloud.com>

In my view web-wide exceptions should be retained because of the transparency issue. OOBC should not become the norm because the mechanism is invisible to UAs, so inaccessible to users. The ability to list the hosts a user has given their consent to should be available to UAs.

Mike

> -----Original Message-----
> From: David Singer [mailto:singer@apple.com]
> Sent: 15 October 2014 18:09
> To: Tracking Protection Working Group
> Subject: Re: tracking-ISSUE-266: automatic expiration of a tracking preference
> exception via API parameter [TPE Last Call]
> 
> I think that this is a problem most conspicuously for web-wide exceptions, and
> they effectively emulate the behavior of cookies but in another way.  (Site-wide
> exceptions and cookies are not similar.)
> 
> The really broken scenario is where the site has a web-wide exception that
> needs to expire for some reason, and the exceptions API doesn’t support expiry.
> To remember the expiry, the site sets an expiring cookie, and questions or
> disregards the exception if either it or the cookie is missing. If the site’s
> web-wide resource is non-scripted it is in no position to do anything about
> confirmation, re-requesting, checking etc. unless the user visits the site itself
> again.
> 
> Issues:
> * why not use just the cookie?
> * if the cookie is missing but the exception is present, which of the following
> occurred?
>   a) the user deleted cookies but the expiry time is not yet reached
>   b) the cookie expired
>   c) the user set their general preference to DNT:0
>  I don’t think the site can tell.
> 
> 
> I therefore think that we should either
> 
> 1] add an expiry parameter to both exception-setting APIs (for regularity, though
> only the web-wide one is problematic)
> OR
> 2] delete web-wide exceptions, since they are simply replicating cookies
> 
> 
> Which do people prefer?
> 
> 
> David Singer
> Manager, Software Standards, Apple Inc.
> 

Received on Thursday, 16 October 2014 11:45:01 UTC
